[ https://issues.apache.org/jira/browse/NIFI-6994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andy LoPresto updated NIFI-6994:
--------------------------------
Description:
If the flowfile repository changes from encrypted -> unencrypted or vice-versa
on startup, the application should handle the change.
* Unencrypted -> encrypted: This is handled by default for
{{SequentialAccessWriteAheadLog}} ->
{{EncryptedSequentialAccessWriteAheadLog}}, but {{RocksDBFlowFileRepository}}
and {{MinimalLockingWriteAheadLog}} are not yet covered.
* Encrypted -> unencrypted: Detect encrypted flowfile records and change
SerDeFactory logic to instantiate encrypted serde for decrypt during initial
recovery only. This depends on the key(s) for the key IDs used still being
available via {{nifi.properties}}.
This process may be very slow given large existing repositories, so a
standalone tool should also be made available to perform this process outside
of the running app.
was:
If the content repository changes from encrypted -> unencrypted or vice-versa
on startup, the application should handle the change.
* Unencrypted -> encrypted: Attempt to create an {{InputStream}} instance to
read the existing content into memory and write them back using
{{EncryptedContentRepositoryOutputStream}}
* Encrypted -> unencrypted: Attempt to create a {{CipherInputStream}} instance
to read the existing events into memory and write them back using
{{OutputStream}}. This depends on the key(s) for the key IDs used still being
available via {{nifi.properties}}.
This process may be very slow given large existing repositories, so a
standalone tool should also be made available to perform this process outside
of the running app.
> Handle flowfile repository encryption status change on startup
> --------------------------------------------------------------
>
> Key: NIFI-6994
> URL: https://issues.apache.org/jira/browse/NIFI-6994
> Project: Apache NiFi
> Issue Type: Sub-task
> Components: Core Framework
> Affects Versions: 1.2.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Priority: Major
> Labels: encryption, provenance, security
>
> If the flowfile repository changes from encrypted -> unencrypted or
> vice-versa on startup, the application should handle the change.
> * Unencrypted -> encrypted: This is handled by default for
> {{SequentialAccessWriteAheadLog}} ->
> {{EncryptedSequentialAccessWriteAheadLog}}, but {{RocksDBFlowFileRepository}}
> and {{MinimalLockingWriteAheadLog}} are not yet covered.
> * Encrypted -> unencrypted: Detect encrypted flowfile records and change
> SerDeFactory logic to instantiate encrypted serde for decrypt during initial
> recovery only. This depends on the key(s) for the key IDs used still being
> available via {{nifi.properties}}.
> This process may be very slow given large existing repositories, so a
> standalone tool should also be made available to perform this process outside
> of the running app.